Sad News and New Projects
Feb 12, 2015
Sad Things
BroncoStory has met its end… It looks like Snapchat is blocking access to the API we used to run the service. We don’t know why we specifically were blocked; the reverse-engineered kit we were using for access itself seems to be fine, but for some reason accessing only the BroncoStory account through it doesn’t work.
At the peak, BroncoStory had over 1400 unique views to its snaps, and plans for monetization were on the horizon… but alas, no more. It was fun while it lasted though!
Happy Things
Get Git is a few users away from 400 users of the extension! I’ve been getting some great feedback from Reddit as well; I’m really pleased with how it’s done.
On another note, I’m doing some last minute preparing to begin alpha releases of Bishop. Bishop is a vulnerability scanner that is the spiritual successor to Get Git. It’s built on the same principle – recursively check websites you browse for the existence of certain files, which, confirmed by its contents, can indicate security vulnerabilities or weaknesses that need to be shored up. If Get Git is a metal detector, though, Bishop is an X-Ray machine. The scanning engine is built around custom rules, not just Git repo detection, and supports Regex matching to confirm filetype and contents. Just a few examples of built in rules include:
- Git/SVN scanning for different kinds of accessibility (accessible source code)
- JS evals that concatenate in a variable (injection risk)
- Vulnerable phpMyAdmin installs, TimThumb installs, web indexes that have php.exe listed (all arbitrary PHP execution)
- and more!
It handles staggering of XHR requests (e.g. 15 running rules * 6 recursed URLs = 90 XHR requests — it piles up quickly), as well as JSON exporting, discrete and loud alerting, icon badges so you can disable all alerts and still see what’s on the sites you browse, and more.
I’m definitely not releasing this to the Chrome Store — although it’s open source and MIT licensed, it’s a pretty simple way to spot a lot of (very low hanging, but still exploitable) vulnerabilities, so I’m hoping that at least a few people that wouldn’t be using this responsibly get weeded out by it not being a one click install.
It is up on GitHub; feature addition is mostly done and now I’m testing. I’m expecting to tag a v1.0 sometime in the coming days, so keep your eyes peeled, and please ping me if you’re interested to give it a spin!